
iOS & macOS : device backup+restore accidentally clones tailscale keys

Open apenwarr opened this issue 3 years ago • 22 comments

A user reported that upon getting a new iPhone, they backed up their old iPhone and then restored the contents using Apple's tools, and this also copied the tailscale keys (visible because both devices now show the same Tailscale IP address). It was not obvious how to work around the problem.

I think someone reported this with macOS previously, but I can't find the bug now. We should perhaps add some kind of "device identity" detection so that we regenerate keys when this happens.


apenwarr avatar Nov 27 '20 00:11 apenwarr

This also happens with macOS, just migrated to a new MacBook and have a duplicate tailscale IP on the old MacBook. Tried uninstalling, removing all directories and reinstalling, but cannot get tailscale to assign unique IPs to the 2 different machines. Interestingly, both MacBooks are able to reach all other devices in the mesh, just not between them.

britannic avatar Nov 28 '20 19:11 britannic

I was able to fix this by deleting all imported tailscale keys from the new Macbook's keychain.

britannic avatar Nov 28 '20 19:11 britannic

Yup - on macOS that's the right solution. Unlike iOS, deleting the app on macOS does not wipe the app's keys from the keychain.

apenwarr avatar Nov 29 '20 05:11 apenwarr

@apenwarr, if the app uses the iCloud keychain, perhaps this Apple Communities thread may help.

britannic avatar Nov 29 '20 06:11 britannic

I think we need to add a "clear keychain entries" button somewhere in the app. It's the only platform where users don't have the ability to delete the state file provided by the OS.

crawshaw avatar Apr 01 '21 13:04 crawshaw

FWIW, I've used other apps that were able to detect this by some means. I believe Signal was one such app. They showed a prompt with text like "Hey, it looks like you've restored this device from a backup. Would you like to use your old settings, or set it up as a new device?"

Rather than have users manually clear their keychain settings, detecting this for them on launch would be nice.

rosszurowski avatar Jun 24 '21 16:06 rosszurowski

I went looking and I think recording and checking the "Vendor ID" will do what we want: https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor

In particular, this ID is stable for an app on phone, until the app is reinstalled.

If we kept a copy of the vendor ID next to the keychain entries, we could compare it to see if it's changed, and if it has, reset the logid and preferences. That means if someone uninstalls+reinstalls Tailscale they will have to log in again, but I believe that's a relatively uncommon action.

crawshaw avatar Jun 25 '21 13:06 crawshaw
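An added example of the launch-time check sketched in the comment above, written in Swift for the iOS app; it is not Tailscale's code. The keychain service name tailscale-deviceid, the LaunchState type and the resetNodeState callback are hypothetical. The stored marker is deliberately written with the default accessibility so that a backup carries it along with the other keychain items; that is what makes comparing it against the current identifierForVendor meaningful on the restored device.

```swift
import UIKit
import Security

// Hypothetical keychain service name for the stored vendor ID marker.
let deviceIDService = "tailscale-deviceid"

enum LaunchState {
    case firstRun                 // no marker stored yet (fresh install or pre-marker version)
    case sameDevice               // marker matches this device
    case restoredFromOtherDevice  // keychain state arrived via backup/transfer from another device
    case unknown                  // vendor ID not available yet; decide on a later launch
}

/// Pure decision logic, kept separate from the keychain so it is easy to reason about.
func classifyLaunch(stored: String?, current: String?) -> LaunchState {
    // identifierForVendor is nil after a reboot until the user first unlocks the
    // device; never treat that as a changed device.
    guard let current = current else { return .unknown }
    guard let stored = stored else { return .firstRun }
    return stored == current ? .sameDevice : .restoredFromOtherDevice
}

func storedVendorID() -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: deviceIDService,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
          let data = item as? Data else { return nil }
    return String(data: data, encoding: .utf8)
}

@discardableResult
func recordVendorID(_ id: String) -> OSStatus {
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: deviceIDService,
    ]
    // Replace any previous marker; errSecItemNotFound on first run is expected.
    _ = SecItemDelete(base as CFDictionary)
    var attrs = base
    attrs[kSecValueData as String] = Data(id.utf8)
    return SecItemAdd(attrs as CFDictionary, nil)
}

/// Call once at launch, before the node key is used to register with the control server.
func checkForRestoredState(resetNodeState: () -> Void) -> LaunchState {
    let current = UIDevice.current.identifierForVendor?.uuidString
    let state = classifyLaunch(stored: storedVendorID(), current: current)
    switch state {
    case .restoredFromOtherDevice:
        // Drop node key and preferences so this device logs in as a new node
        // instead of fighting the old device over one identity.
        resetNodeState()
        if let c = current { recordVendorID(c) }
    case .firstRun:
        if let c = current { recordVendorID(c) }
    case .sameDevice, .unknown:
        break
    }
    return state
}
```

As the comment notes, the vendor ID also changes when the app is uninstalled and reinstalled, so that path triggers a reset and a fresh login too; the `.unknown` case exists so a launch before first unlock never wipes a valid identity.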

It looks like DCDevice.current.generateToken could also provide us with what we need (docs link). I'm not sure what the difference between identifierForVendor and DCDevice.current.generateToken is, but it's another option to look into.

rosszurowski avatar Jun 25 '21 13:06 rosszurowski

Hi, is there a way to work around this issue on iOS? It seems that removing the app and reinstalling does not fix the issue. Thank you

finestream avatar Sep 04 '21 09:09 finestream

In https://login.tailscale.com/admin/machines find the entry for the iOS device, click on the three dot menu to the far right of its entry, and click Remove.

On the iOS device click the three dot menu and select "Reauthenticate"

The device will get a new node key and be issued a new IP address.

DentonGentry avatar Sep 04 '21 18:09 DentonGentry

As far as the underlying problem, this is the same as https://github.com/tailscale/tailscale/issues/506 and the solution likely to be the same: rotate node keys automatically when duplication is suspected. Closing as a duplicate.

DentonGentry avatar Sep 04 '21 18:09 DentonGentry

> In https://login.tailscale.com/admin/machines find the entry for the iOS device, click on the three dot menu to the far right of its entry, and click Remove.
>
> On the iOS device click the three dot menu and select "Reauthenticate"
>
> The device will get a new node key and be issued a new IP address.

I'm still seeing this problem.

iPhone working properly with Tailscale. Buy new iPhone and clone old phone onto new one. Both iPhones now connect to Tailscale with the same IP. I've logged both iPhones out of Tailscale and deleted their entry from the admin/machines interface. I then log each one back into Tailscale and they end up with the same IP.

Any suggestions? I've tried uninstalling Tailscale on both iPhones but that doesn't seem to help.

stevetrease avatar Sep 25 '21 13:09 stevetrease

Need an open issue about iPhone specifically

DentonGentry avatar Nov 16 '21 17:11 DentonGentry

I also just ran into this - migrated my Mac, and now have two computers trying to grab the same identity. Tried signing out, signing in, revoking from the admin console, deleting and reinstalling... it wasn't until I found this issue I figured out I had to look in the keychain for it.

v21 avatar Mar 13 '22 21:03 v21

Any news on a fix for this?

JasonKiddy avatar May 23 '22 11:05 JasonKiddy

For macOS, on the cloned device:

  • Quit the Tailscale application.
  • Use "/Applications/Utilities/Keychain Access" to search for all keys named "tailscale". There should be three: tailscale-logdata, tailscale-machinekey, and tailscale-preferences. If you were using the app since one of its very early versions, there might be a fourth.
  • Delete all three (or four), then start the Tailscale app again. It will re-create those keys and ask you to authenticate again.

For iOS, on the cloned device:

  • force-quit the app.
  • Go to the iOS Settings app > Tailscale and turn "Reset Keychain" on.
  • Relaunch Tailscale, which will ask you to authenticate.

DentonGentry avatar May 23 '22 12:05 DentonGentry

> For macOS, on the cloned device:
>
>   • Quit the Tailscale application.
>   • Use "/Applications/Utilities/Keychain Access" to search for all keys named "tailscale". There should be three: tailscale-logdata, tailscale-machinekey, and tailscale-preferences. If you were using the app since one of its very early versions, there might be a fourth.
>   • Delete all three (or four), then start the Tailscale app again. It will re-create those keys and ask you to authenticate again.
>
> For iOS, on the cloned device:
>
>   • force-quit the app.
>   • Go to the iOS Settings app > Tailscale and turn "Reset Keychain" on.
>   • Relaunch Tailscale, which will ask you to authenticate.

This reset method does not apply to tailscaled. I tried 'sudo tailscaled uninstall-system-daemon', then reinstalled tailscaled; it's still duplicated. And I can't find any keys related to tailscale in the Keychain Access app. I also tried the standalone app; it failed to start.

lyqscmy avatar Jul 14 '22 01:07 lyqscmy

resolved

lyqscmy avatar Jul 22 '22 02:07 lyqscmy

not resolved, it just happened to me, and I'm going in circles trying to fix it on both machines.

Syzygies avatar Aug 06 '22 20:08 Syzygies

Only one machine needs to generate a new node key (and new Tailscale identity). The other will be able to use the one it had, once the two machines stop fighting over it.

For macOS, on the cloned device:

  • Quit the Tailscale application.
  • Use "/Applications/Utilities/Keychain Access" to search for all keys named "tailscale". There should be three: tailscale-logdata, tailscale-machinekey, and tailscale-preferences. If you were using the app since one of its very early versions, there might be a fourth.
  • Delete all three (or four), then start the Tailscale app again. It will re-create those keys and ask you to authenticate again.

For iOS, on the cloned device:

  • force-quit the app.
  • Go to the iOS Settings app > Tailscale and turn "Reset Keychain" on.
  • Relaunch Tailscale, which will ask you to authenticate.

DentonGentry avatar Aug 06 '22 21:08 DentonGentry

Here are the directions that worked for me: Uninstalling Tailscale. Note that in addition to the above list, they say to delete a Network channel.

I have one residual issue: Tailscale now thinks the machine name I want to use is taken, even though it's not in active use on my admin console.

Syzygies avatar Aug 06 '22 21:08 Syzygies

> Only one machine needs to generate a new node key (and new Tailscale identity). The other will be able to use the one it had, once the two machines stop fighting over it.

Surely they notice? Wouldn't it take a few lines of code to have the younger identity start over when it sees a conflict? The initialization code is already there, and should be idempotent, one just needs to call it...

Syzygies avatar Aug 06 '22 21:08 Syzygies

I just ran into this from doing a phone-to-phone direct transfer on iOS. Doing the steps in this thread of force-quitting the app / turning "Reset Keychain" on / relaunching did not do it. Even fully uninstalling the app and re-installing it ended up using the same node key upon re-logging-in.

The only thing that worked for me was revoking the node key in the web console, and then the app re-prompted to sign in and create a new node.

ccpost avatar Sep 24 '23 06:09 ccpost

Just experienced this issue when restoring a new iPhone from local backup on Mac. FYI, although not sure if this is relevant, I used an encrypted backup.

  • Reinstall the app from both devices and reauthorize: did not work
  • Remove device from admin console and reauthorize: did not work
  • Reset keychain from the settings on the old device and reauthorize: worked!

mu373 avatar Oct 27 '23 06:10 mu373

The secret sauce here is kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly when saving keys which prevents them from being included in iCloud backups.

We may need to write some code to migrate all existing entries and resave them with this attribute.

barnstar avatar Nov 09 '23 22:11 barnstar

The "simple" fix for this, is to prevent our keychain entries from getting restored to a different device. This fixes the problems of duplicate nodes, but is arguably slightly user-hostile since it:

  1. Requires the user to set up the new device as a new node - though there's a good argument to be made that this IS a new node - or the converse - we might be wrong always assuming that it isn't.
  2. Requires changing all of their ACLs to refer to the new node.

We're taking the path of tagging keychain items as "thisDeviceOnly" for the time being since this appears to be the more significant problem, and is a straightforward fix.

The problem of "I want Device B to replace Device A, make it so everywhere and nuke Device A" is a much deeper rabbit hole. In a "traditional" IP network, this sort of thing isn't uncommon if you swap out a network card and break a static IP mapping (for example), but since our raison d'être is to fix problems with traditional IP networks, we should aim to do better.

barnstar avatar Nov 16 '23 18:11 barnstar
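An added Swift example (not Tailscale's code) of the two pieces the two comments above describe: saving the keychain items with kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly so that backups and device-to-device transfers leave them behind, plus a one-time migration of entries written earlier without that attribute, and the deletion that the thread's "Reset Keychain" switch and the manual Keychain Access procedure perform. The service names are the three item names listed earlier in the thread; the function names and call sites are assumed. It is written against the iOS keychain. On macOS, kSecAttrAccessible is only honored for items stored in the data protection keychain (kSecUseDataProtectionKeychain, macOS 10.15 and later), which this block does not handle.

```swift
import Foundation
import Security

// Item names from the thread (macOS Keychain Access shows the same three).
let tailscaleServices = ["tailscale-logdata", "tailscale-machinekey", "tailscale-preferences"]

// Not synchronized, and not restored from a backup onto a different device.
let thisDeviceOnly = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly

private func query(_ service: String) -> [String: Any] {
    [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
    ]
}

/// Add or overwrite a secret pinned to this device.
func saveThisDeviceOnly(service: String, value: Data) -> OSStatus {
    var attrs = query(service)
    attrs[kSecValueData as String] = value
    attrs[kSecAttrAccessible as String] = thisDeviceOnly
    // A ThisDeviceOnly item cannot also be kSecAttrSynchronizable; leave that
    // attribute at its default (false) or SecItemAdd fails with errSecParam.
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecDuplicateItem else { return status }
    let update: [String: Any] = [
        kSecValueData as String: value,
        kSecAttrAccessible as String: thisDeviceOnly,
    ]
    return SecItemUpdate(query(service) as CFDictionary, update as CFDictionary)
}

/// One-time migration for items written before the attribute was set. Only the
/// accessibility changes; the secret stays as-is. Run after first unlock, since
/// the item must be readable to be updated.
func migrateToThisDeviceOnly() -> [String: OSStatus] {
    let update: [String: Any] = [kSecAttrAccessible as String: thisDeviceOnly]
    var results: [String: OSStatus] = [:]
    for service in tailscaleServices {
        let status = SecItemUpdate(query(service) as CFDictionary, update as CFDictionary)
        // Missing items (fresh install, or never written) are not an error here.
        results[service] = status == errSecItemNotFound ? errSecSuccess : status
    }
    return results
}

/// In-app "Reset Keychain": delete the items so the next launch generates a new
/// node key and asks the user to authenticate again.
func resetTailscaleKeychain() -> [String: OSStatus] {
    var results: [String: OSStatus] = [:]
    for service in tailscaleServices {
        let status = SecItemDelete(query(service) as CFDictionary)
        results[service] = status == errSecItemNotFound ? errSecSuccess : status
    }
    return results
}
```

The migration only affects what future backups carry. A node that has already been duplicated onto a second device still has to be reset on one side (with `resetTailscaleKeychain()` here, the Settings switch, or the Keychain Access deletion described above), or removed in the admin console and reauthenticated, before the two devices stop contending for one node key.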

> resolved

How did you resolve the issue? I migrated from macOS Intel to M3 (with the keys).

Followed the full Uninstall instructions from Tailscale.

Both machines install Tailscale as if it's new, but after authenticating, they both end up getting the same IP.

bigbeka avatar Mar 03 '24 12:03 bigbeka